Date: Wed, 19 Jun 2019 10:42:57 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-security@freebsd.org
Subject: Re: Untrusted terminals: OPIE vs security/pam_google_authenticator
Message-ID: <20190619034257.GA67083@admin.sibptus.ru>
In-Reply-To: <nycvar.OFS.7.76.444.1906181941030.12587@mx.roble.com>
References: <20190618075954.GA30296@admin.sibptus.ru> <CA%2BQLa9AkOwM14nxgXmmiH8TFewaT6HGjq7vzRQ5u4YNFNh-W-w@mail.gmail.com> <20190619020512.GA64608@admin.sibptus.ru> <nycvar.OFS.7.76.444.1906181941030.12587@mx.roble.com>

Roger Marquis wrote:

> > In my case, no page is involved, just the FreeOTP app on my Android
> > phone (which is less convenient than a sheet of paper with OPIE
> > passwords, but I can live with that).
>
> FreeOTP and FreeOTP+ are IMO the best OTP apps out there. They require
> no privacy invading "push" notifications and are open source.

Would you rely on security/pam_google_authenticator+FreeOTP as the
*single* authentication for ssh (not as an extra authentication factor)?
In other words, as a "sufficient" PAM module?

> Just wish
> more sites would publish numeric codes instead of gimmicky QR codes.

Oh, I love the QR codes google-authenticator generates in
character-based terminals. Very stylish, and convenient to scan with the
FreeOTP app.

Do you know if there is a FreeOTP generator for the FreeBSD console, like
/usr/bin/otp-md5 ?

>
> That said there are still plenty of us who also use OPIE. The passcodes
> are a solid T/HOTP fallback, aren't subject to seizure by border agents
> having a bad day, can be easily copied and stored on paper and have zero
> dependencies on 3rd parties.
>
> That's not to say that OPIE should be kept in base though. There's
> already way too much unused legacy cruft in FreeBSD base. Ports are the
> right tool for that job.

Is there a way to keep some software in ports, if the original project
is dead?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/